First of all, let me state that this is not my idea and I don't want to discuss whether such an action is reasonable.

However, for a company, is there a way to prevent employees to access public cloud services? In particular, they should not be able to upload files to any place on the web.

Blocking HTTPS might be a first, simple, but very radical solution. Using a blacklist of IP addresses wouldn't suffice either. Probably, some kind of software is needed to filter the traffic on a content level. A proxy might be helpful, to be able to filter HTTPS traffic.

One of our clients (we do other stuff for them) tunnels all traffic through a proxy which gets observered by bluecoat.com A lot of sites (file storage, gaming, hacking, media...) are blocked. I really hate it...
–
ReenoFeb 10 '14 at 15:42

43

I understand why you say that you don't want to discuss this, but that skates over one of the biggest parts of a good sysadmin's job description: speaking truth unto power. Sometimes, an idea is prima facie stupid; other times, it's not a bad idea, but it's a social / business idea, and not best suited to a technical solution. In both cases, the only correct thing for a sysadmin to do is to turn around and say "no".
–
MadHatterFeb 10 '14 at 16:20

3

@MadHatter Still, apart from this initial intuition we share, I attempt to at least present what would be technically possible. Apart from that, I agree.
–
marszeFeb 10 '14 at 16:37

8

Isn't this what management and Acceptable Use Policies are for ?
–
IainFeb 10 '14 at 16:45

6

possible: their computers are never ever connected to the internet, they are not allowed any camera (cellphone included, obviously) or recording device (such as a pen) in the office, office that has no window that you could open or see through. Also, your users need to be fully body-searched and memory-erased each time they leave the office, otherwise they may memorize something an put it on the internet later!
–
njzk2Feb 10 '14 at 19:05

This is going to be absolutely massive if it's meant to be even remotely effective.

Tech-savvy users will always be able to find a way around it - I can connect to my computer from anywhere in the world with an internet connection, so... good luck blocking me, for example.

Do something more reasonable/recognize the limits of technology.

This isn't your idea, but generally, if you provide management with the pitfalls and expense of implementing a solution like this, they'll be more open to better approaches.

Sometimes this is a compliance thing, or "just for appearances," and they're happy with just blocking the most popular services

Sometimes they genuinely don't understand how insane their request is, and need you to tell them in terms they can understand.

Had a client once a few jobs back who wanted us to provide a way to stop employees from leaking confidential information with our AV agent. I whipped out my smartphone, took a picture of my screen, and asked him how he could possibly prevent that, or even writing the information down on apiece of paper.

Use the news and recent events in your explanation - if the Army couldn't stop Manning, and the NSA couldn't stop Snowden, what makes you think we can do it, and how much money do you think even trying will cost?

Good answer. The request really can not be dealt with outside actualyl of 2.a - using a WHITELIST. And then hiring people to manage it ;) Because man, it will be a lot of work. Possibly less than a blacklist though. And still achieve nothing (nice idea with the smartphone). Surreal request.
–
TomTomFeb 10 '14 at 14:37

1

@TomTom Yeah, I thought about the whitelist, but everywhere I've ever seen, the whitelist of the parts of the internet they want to access is vastly larger than the blacklist of the services they are irrationally afraid of/don't want employees accessing.
–
HopelessN00b♦Feb 10 '14 at 14:41

1

I think it depends. For example on my company the whitelist would just be maybe 300 items. Required for business. A blacklist will start handling everything. On top, the whitelist you win (alyways valid, starts with 0 entries) - the blacklist you don't even know where to start. But generally, those are futile attempts.
–
TomTomFeb 10 '14 at 14:44

2

IMHO, blocking the 10 most obvious sites would probably achieve 95% of what management is after. No one cares about the few nerds that will tunnel around the block.
–
Steve BennettFeb 11 '14 at 23:10

3

@SteveBennett While this is probably true, it's not safe to assume that management doesn't care about the 5% and/or people who can and will circumvent the system. If the technical resources doesn't let management know about the system's limitations, it'll be the technical resources whose heads roll when someone uploads all the company's IP to BitTorrent (or whatever incident brings this issue back into management's attention).
–
HopelessN00b♦Feb 11 '14 at 23:28

There is no way to block it completely, of course, unless the corporate network were to be disconnected from the Internet.

If you really want something that should work most of the time while being mostly transparent, you'll need to deep-sniff packets. Set up a man-in-the-middle SSL/TLS proxy, as well as one for unencrypted communication, and block all traffic that doesn't go through one of these.

Block HTTP PUT requests

Block all HTTP POST requests where the content-type is not application/x-www-form-urlencoded or multipart/form-data

For HTTP POST requests of type multipart/form-data, strip out fields with a content-disposition of "file" (but let other fields through).

Block FTP, BitTorrent, and SMTP traffic

Block all traffic to the major Webmail services, and to the major public file storage sites.

As you can see, this is a massive and painful undertaking. It's also far from invulnerable: I'm thinking of several workarounds even as I write this, some of which can't be handled without fundamentally breaking your users' Web connections, and there will probably be comments showing many more that I didn't think of. But it should let most traffic through, while filtering out the easiest ways to eliminate file uploading.

The bottom line is that this is more trouble than it is worth.

The best answer would be to enter into a kind of negotiation with your bosses: find out what they really want (likely either protection of trade secrets or liability prevention), and point out why these unworkable technological measures will not get them what they want. Then you can work out solutions to their problems that do not involve unworkable technological measures.

Don't worry about ideology in these discussions: all you have to do is focus on what will work and what will not. You'll find all the arguments you need there, and while this will no doubt frustrate both you and your bosses, it avoids passing value judgments against them (which might be deserved, but will only cause talks to break down, and that is Bad).

I have a friend with a job at a government agency where she isn't allowed to bring a cellphone with a camera to the office. She usually phrases that as, "I'm not allowed to own a cellphone with a camera," because, well. If she can't take her cell with her, why own one? She has trouble finding cellphones that don't have cameras.

An official policy that accessing your personal email from your workstation is a firing offense.

An official policy that accessing a cloud service from your workstation is a firing offense.

An official policy that plugging a thumb drive, ipod, or cell phone into a workstation is a firing offense.

An official policy that accessing social media from your workstation is a firing offense.

An official policy that installing unauthorized software on your workstation is a firing offense.

An official policy that accessing your personal online banking from your workstation is a firing offense.

An epic corporate firewall/proxy that has many/most of those sites blocked. Any attempt to access facebook.com, for example, prompts a screenful of "This site blocked by ETRM." They occasionally blocked things like Stack Overflow as "hacking" as well.

Some "offenses" merit an email sent to your entire team stating that you accessed an unauthorized site (as opposed to firing... this time). ("Katherine Villyard accessed http://icanhas.cheezburger.com/ at 3:21pm!")

Forcing all new hires to take "security policy" class explaining these rules, and forcing people to take regular refresher courses on these rules. And then take and pass a quiz on them.

Places that rely on Administrative Fascism generally only make cursory attempts to back up these rules via technical means, in my experience. For example, the they say they'll fire you if you plug in a thumb drive, but they don't disable USB. They block Facebook via http but not via https. And, as HopelessN00b pointed out, savvy users know and mock this.

There are actually technical solutions you can rely on to disable USB devices (every AV agent I've seen in years can do this fairly effectively), or block access to [some] well-defined categories of websites. The problem for the OP is that "public cloud"/"places users can upload data" isn't a well defined category (and won't be anytime soon), so he can't even suggest a webfilter as a solution to the problem... he's gonna have to make a custom blacklist or convice management to see reason.
–
HopelessN00b♦Feb 10 '14 at 14:45

I know, and I agree. I certainly didn't present that list to endorse it as a course of action. :)
–
Katherine VillyardFeb 10 '14 at 14:52

9

Technically the public clouds includes every hoster as it is trivial to rent a website and put a file upload thing there. Ouch. Non-solvable problem.
–
TomTomFeb 10 '14 at 15:15

For many years, employees at my father's workplace were not permitted to carry phones with a camera in the office. Eventually, the company transitioned to a policy of allowing company phones (blackberries at the time, iphones now), but not personal phones.
–
Brian SFeb 10 '14 at 16:12

To get on the Internet, people then need to either use a different computer - connected to a different network - or connect via RDP to a Terminal Server which has Internet access. You disable clipboard over RDP and no windows share. That way, users can't copy files onto the Internet Terminal Servers and thus can't send files out.

That leaves email... that is your biggest loophole in this if you allow email on the internal PCs.

Sound snippy, but sadly that is the truth. Pretty much the only way to solve this.
–
TomTomFeb 10 '14 at 15:15

2

We have this solution (Internet and email via terminal server only) already in place for parts of our company. However, for the software developers, having no Internet access at all would obviously be really troublesome...
–
marszeFeb 10 '14 at 16:00

@marsze - I have seen it solved with a whitelist proxy where the few things the programmers need directly on their box (like Maven repo) are allowed through proxy.
–
ETLFeb 10 '14 at 16:01

1

That leaves a pen and a paper, or simply memory.
–
njzk2Feb 10 '14 at 19:06

@marsze I worked at a company with separated networks that did this by giving the developers two machines. One beefy one for doing development work, connected to the internal-access-only network, and another one (thin client, or old clunker box) that was connected to a network that had internet access. An effective, if simplistic and more expensive solution.
–
HopelessN00b♦Feb 13 '14 at 1:22

You know that old joke that, if you and a halfling are chased by an angry dragon, you don't have to run quicker than the dragon, you only have to be quicker than the halfling? Assuming non-malicious users*, you don't have to restrict their access to the public cloud, it is enough to make the usability of the public cloud lower than the usability of whatever enterprisey solution you have for non-desk-bound data access. Properly implemented, this will reduce the risk of non-malicious leaks sharply, and is doable with a fraction of the cost.

In most cases, a simple blacklist should suffice. Put Google drive, Dropbox and the Apple cloud on it. Also block traffic to Amazon AWS - most of these hot startups who build yet another cloud service don't build their own data center. You just reduced the number of employees who know how to get into the public cloud from 90% to 15% (very rough numbers, will differ by industry). Use a suitable error message to explain why public clouds are forbidden, which will reduce their impression of wanton censorship (sadly, there will always be users not willing to understand).

The remaining 15% can still reach providers not on the blacklist, but they probably won't bother to do it. Google drive and co are subject to strong positive network effects (the economic kind, not the technical kind). Everybody uses the same 2-3 services, so they get built in everywhere. Users build convenient, streamlined workflows which include these services. If the alternative cloud provider cannot be integrated into such a workflow, the users have no incentive to use it. And I hope that you have a corporate solution for the most basic usage of a cloud such as storing files in a central place, reachable from a physical location outside of the campus (with VPN if security is needed).

Add to this solution a good deal of measurement and analytics. (This is always needed where users are concerned). Take samples of traffic, especially if exhibiting suspicious patterns (upstream traffic in bursts large enough to be upload of documents, directed at the same domain). Have a human look at the identified suspicious domains, and if you find that it is a cloud provider, find out why users are using it, talk with management about providing an alternative with equal usability, educate the offending user about the alternative. It would be great if your corporate culture allows you to gently reeducate caught users without implementing disciplinary measures the first times - then they will not be trying to hide from you especially hard, and you will be able to easily catch deviations and deal with the situation in a way which reduces the security risk but still allows the user to do his job efficiently.

A reasonable manager** will understand that this blacklist will lead to productivity losses. The users had a reason to use the public cloud - they are incentivized to be productive, and the convenient workflow increased their productivity (including the amount of unpaid overtime they are willing to do). It is a manager's job to evaluate the trade off between productivity loss and security risks and tell you if they are willing to let the situation as-is, to implement the black list, or to go for secret-service-worthy measures (which are severely inconvenient and still don't provide 100% security).

[*] I know that people whose job is security think of criminal intent first. And indeed, a determined criminal is much harder to stop and can inflict much worse damage than a non-malicious user. But in reality, there are few organisations which get infiltrated. Most security problems are related to the goofiness of well-meaning users who don't realize the consequences of their actions. And because there are so many of them, the threat they pose should be taken as seriously as the more dangerous, but much rarer, spy.

[**] I am aware that, if your bosses already made that demand, chances are that they are not the reasonable type. If they are reasonable but just misguided, that's great. If they are unreasonable and stubborn, this is unfortunate, but you must find a way to negotiate with them. Offering such a partial solution, even if you can't get them to accept it, can be a good strategic move - properly presented, it shows them that you are "on their side", take their concerns seriously, and are prepared to search for alternatives to technically infeasible requirements.

While you can, in principle, prevent uploading of any documentation for all known possible mechanisms, you won't be able to prevent zero-day exploits (or the equivalent to you) from being used.

That said, an authenticating firewall to identify both the user and the workstation, can be implemented to restrict access with ACL that you desire. You can incorporate a reputation service as described in some of the other answers to help your managing the process.

The real question is to ask whether is this about security, or is this about control? If it is the first, then you need to understand the cost threshold your managers are prepared to pay. If it is the second, then probably a large visible theatre will be sufficient to convince them you have delivered, with minor exceptions.

You need a content filtering device or service, such as BlueCoat Secure Web Gateway, or a firewall with content filtering, such as a Palo Alto firewall. Products like this have broad category filters that include online storage.

BlueCoat even offers cloud-based service where you can force your laptop users to connect through a proxy service that runs locally on their computer, but takes content filtering rules from a central source.

Cons: A big list, sometimes it could hurts the performance of the firewall of the system (usually it does!). Sometimes it could be bypassed.

WhiteList

Instead of relies in a big list of blacklisted sites, some companies uses a whitelist where users can only access to the whitelisted sites.

Pro : easy to manage.

Cons : it hurts productivity.

Block the size of the information send (POST/GET).

Some firewall allows to block the size of information send, rendering impossible to send some files.

Pro: Easy to manage.

Cons : some users could bypass it by sending files in small chunks. It could breaks some websites, for example, some Java and Visual Studio's winforms sites send a lot of information regularly.

Block non HTTP connections.

Pro: easy to configure.

Cons : it could breaks current systems.

In my experience, i worked for a bank. The administrators blocked the access to the usb driverand access some restricted sites (blacklist). However, i created a php file in a free webhosting and i can upload my files without any problem (using a regular website). It took me 5 minutes to do that.

I agree with some comments, is easy and more effective to use a human resource rules.

A recent idea was a combined approach: a blacklist for HTTP, a whitelist for HTTPS. As for the other solutions: it will always be necessary to test what can be implemented without breaking existing systems, because this differs from case to case.
–
marszeFeb 12 '14 at 7:40